Commit 299b7766
Authored Sep 21, 2015
Author: Sebastien Deleuze
Allow same-origin WebSocket/SockJS requests once origin is set
Issue: SPR-13464
Parent: f60bd256
Showing 5 changed files with 38 additions and 7 deletions (+38 -7):
spring-websocket/src/main/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptor.java (+1 -1)
spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java (+2 -3)
spring-websocket/src/test/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptorTests.java (+12 -1)
spring-websocket/src/test/java/org/springframework/web/socket/sockjs/support/SockJsServiceTests.java (+11 -2)
spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java (+12 -0)
spring-websocket/src/main/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptor.java
...
...
@@ -93,7 +93,7 @@ public class OriginHandshakeInterceptor implements HandshakeInterceptor {
@Override
public
boolean
beforeHandshake
(
ServerHttpRequest
request
,
ServerHttpResponse
response
,
WebSocketHandler
wsHandler
,
Map
<
String
,
Object
>
attributes
)
throws
Exception
{
if
(!
WebUtils
.
isValidOrigin
(
request
,
this
.
allowedOrigins
))
{
if
(!
WebUtils
.
is
SameOrigin
(
request
)
&&
!
WebUtils
.
is
ValidOrigin
(
request
,
this
.
allowedOrigins
))
{
response
.
setStatusCode
(
HttpStatus
.
FORBIDDEN
);
if
(
logger
.
isDebugEnabled
())
{
logger
.
debug
(
"Handshake request rejected, Origin header value "
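Review bot: the new `!WebUtils.isSameOrigin(request) &&` clause in `beforeHandshake` means `allowedOrigins` is no longer the complete list of accepted origins, and this one-line change does not document that. A same-origin handshake is now accepted whatever the configured list contains, so the Javadoc for this class should state that the application's own origin is always allowed and that the list only governs cross-origin callers. It should also say what the `Origin` header is compared against: the tests in this commit drive the result through `servletRequest.setServerName(...)`, so the outcome depends on the host the container reports for the request.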
...
...
spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
...
...
@@ -448,13 +448,12 @@ public abstract class AbstractSockJsService implements SockJsService, CorsConfig
protected
boolean
checkOrigin
(
ServerHttpRequest
request
,
ServerHttpResponse
response
,
HttpMethod
...
httpMethods
)
throws
IOException
{
String
origin
=
request
.
getHeaders
().
getOrigin
();
if
(
origin
==
null
)
{
if
(
WebUtils
.
isSameOrigin
(
request
))
{
return
true
;
}
if
(!
WebUtils
.
isValidOrigin
(
request
,
this
.
allowedOrigins
))
{
String
origin
=
request
.
getHeaders
().
getOrigin
();
logger
.
debug
(
"Request rejected, Origin header value "
+
origin
+
" not allowed"
);
response
.
setStatusCode
(
HttpStatus
.
FORBIDDEN
);
return
false
;
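Review bot: dropping the explicit `origin == null` early return in `checkOrigin` leaves the no-`Origin` case to whatever `WebUtils.isSameOrigin(request)` and `WebUtils.isValidOrigin(...)` do with a missing header, which this hunk does not show. Add a test that sends a request without an `Origin` header while `allowedOrigins` is restricted, so the behaviour for that case is pinned rather than implied. Separately, `logger.debug("Request rejected, Origin header value " + origin + " not allowed")` builds its message unconditionally, whereas the interceptor guards the equivalent message with `logger.isDebugEnabled()`; the same guard would fit here.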
...
...
spring-websocket/src/test/java/org/springframework/web/socket/server/support/OriginHandshakeInterceptorTests.java
...
...
@@ -114,7 +114,7 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
}
@Test
public
void
sameOriginMatch
()
throws
Exception
{
public
void
sameOriginMatch
WithEmptyAllowedOrigins
()
throws
Exception
{
Map
<
String
,
Object
>
attributes
=
new
HashMap
<
String
,
Object
>();
WebSocketHandler
wsHandler
=
Mockito
.
mock
(
WebSocketHandler
.
class
);
this
.
servletRequest
.
addHeader
(
HttpHeaders
.
ORIGIN
,
"http://mydomain2.com"
);
...
...
@@ -124,6 +124,17 @@ public class OriginHandshakeInterceptorTests extends AbstractHttpRequestTests {
assertNotEquals
(
servletResponse
.
getStatus
(),
HttpStatus
.
FORBIDDEN
.
value
());
}
@Test
public
void
sameOriginMatchWithAllowedOrigins
()
throws
Exception
{
Map
<
String
,
Object
>
attributes
=
new
HashMap
<
String
,
Object
>();
WebSocketHandler
wsHandler
=
Mockito
.
mock
(
WebSocketHandler
.
class
);
this
.
servletRequest
.
addHeader
(
HttpHeaders
.
ORIGIN
,
"http://mydomain2.com"
);
this
.
servletRequest
.
setServerName
(
"mydomain2.com"
);
OriginHandshakeInterceptor
interceptor
=
new
OriginHandshakeInterceptor
(
Arrays
.
asList
(
"http://mydomain1.com"
));
assertTrue
(
interceptor
.
beforeHandshake
(
request
,
response
,
wsHandler
,
attributes
));
assertNotEquals
(
servletResponse
.
getStatus
(),
HttpStatus
.
FORBIDDEN
.
value
());
}
@Test
public
void
sameOriginNoMatch
()
throws
Exception
{
Map
<
String
,
Object
>
attributes
=
new
HashMap
<
String
,
Object
>();
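Review bot: `sameOriginMatchWithAllowedOrigins` checks only the host-equal case (an `Origin` of `http://mydomain2.com` with `setServerName("mydomain2.com")`), so nothing in it fails if the same-origin comparison ignores scheme or port. Add negative cases that keep the same server name and the `http://mydomain1.com` allowed list but send an `Origin` with a different scheme or port, for example `https://mydomain2.com` or `http://mydomain2.com:8080` (illustrative values), and assert that `beforeHandshake` returns false with a `FORBIDDEN` status.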
...
...
spring-websocket/src/test/java/org/springframework/web/socket/sockjs/support/SockJsServiceTests.java
...
...
@@ -121,13 +121,17 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
assertEquals
(
",\"origins\":[\"*:*\"],\"cookie_needed\":true,\"websocket\":true}"
,
body
.
substring
(
body
.
indexOf
(
','
)));
this
.
service
.
setAllowedOrigins
(
Arrays
.
asList
(
"http://mydomain1.com"
));
resetResponseAndHandleRequest
(
"GET"
,
"/echo/info"
,
HttpStatus
.
FORBIDDEN
);
resetResponseAndHandleRequest
(
"GET"
,
"/echo/info"
,
HttpStatus
.
OK
);
this
.
service
.
setAllowedOrigins
(
Arrays
.
asList
(
"http://mydomain1.com"
,
"http://mydomain2.com"
,
"http://mydomain3.com"
));
resetResponseAndHandleRequest
(
"GET"
,
"/echo/info"
,
HttpStatus
.
OK
);
this
.
service
.
setAllowedOrigins
(
Arrays
.
asList
(
"*"
));
resetResponseAndHandleRequest
(
"GET"
,
"/echo/info"
,
HttpStatus
.
OK
);
this
.
servletRequest
.
setServerName
(
"mydomain3.com"
);
this
.
service
.
setAllowedOrigins
(
Arrays
.
asList
(
"http://mydomain1.com"
));
resetResponseAndHandleRequest
(
"GET"
,
"/echo/info"
,
HttpStatus
.
FORBIDDEN
);
}
@Test
// SPR-11443
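Review bot: the first `resetResponseAndHandleRequest("GET", "/echo/info", ...)` after `setAllowedOrigins(Arrays.asList("http://mydomain1.com"))` flips from `FORBIDDEN` to `OK`, but the hunk does not show which `Origin` header or server name the request carries at that point, so a reader cannot tell why the request now passes. Set both values explicitly next to the assertion, or add a short comment explaining why the request is accepted before `setServerName("mydomain3.com")` and rejected after it.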
...
...
@@ -176,7 +180,8 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
assertNotNull
(
this
.
service
.
getCorsConfiguration
(
this
.
servletRequest
));
this
.
service
.
setAllowedOrigins
(
Arrays
.
asList
(
"http://mydomain1.com"
));
resetResponseAndHandleRequest
(
"OPTIONS"
,
"/echo/info"
,
HttpStatus
.
FORBIDDEN
);
resetResponseAndHandleRequest
(
"OPTIONS"
,
"/echo/info"
,
HttpStatus
.
NO_CONTENT
);
assertNotNull
(
this
.
service
.
getCorsConfiguration
(
this
.
servletRequest
));
this
.
service
.
setAllowedOrigins
(
Arrays
.
asList
(
"http://mydomain1.com"
,
"http://mydomain2.com"
,
"http://mydomain3.com"
));
resetResponseAndHandleRequest
(
"OPTIONS"
,
"/echo/info"
,
HttpStatus
.
NO_CONTENT
);
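Review bot: the added `assertNotNull(this.service.getCorsConfiguration(this.servletRequest))` after the `NO_CONTENT` preflight only proves that a configuration object exists. Since a preflight now passes with `allowedOrigins` limited to `http://mydomain1.com`, assert on the allowed origins of the returned configuration as well, so the test shows that the same-origin exception does not widen what is advertised to cross-origin callers.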
...
...
@@ -185,6 +190,10 @@ public class SockJsServiceTests extends AbstractHttpRequestTests {
this
.
service
.
setAllowedOrigins
(
Arrays
.
asList
(
"*"
));
resetResponseAndHandleRequest
(
"OPTIONS"
,
"/echo/info"
,
HttpStatus
.
NO_CONTENT
);
assertNotNull
(
this
.
service
.
getCorsConfiguration
(
this
.
servletRequest
));
this
.
servletRequest
.
setServerName
(
"mydomain3.com"
);
this
.
service
.
setAllowedOrigins
(
Arrays
.
asList
(
"http://mydomain1.com"
));
resetResponseAndHandleRequest
(
"OPTIONS"
,
"/echo/info"
,
HttpStatus
.
FORBIDDEN
);
}
@Test
// SPR-12283
...
...
spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java
...
...
@@ -174,6 +174,18 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
assertEquals
(
403
,
this
.
servletResponse
.
getStatus
());
}
@Test
// SPR-13464
public
void
handleTransportRequestXhrSameOrigin
()
throws
Exception
{
String
sockJsPath
=
sessionUrlPrefix
+
"xhr"
;
setRequest
(
"POST"
,
sockJsPrefix
+
sockJsPath
);
this
.
service
.
setAllowedOrigins
(
Arrays
.
asList
(
"http://mydomain1.com"
));
this
.
servletRequest
.
addHeader
(
HttpHeaders
.
ORIGIN
,
"http://mydomain2.com"
);
this
.
servletRequest
.
setServerName
(
"mydomain2.com"
);
this
.
service
.
handleRequest
(
this
.
request
,
this
.
response
,
sockJsPath
,
this
.
wsHandler
);
assertEquals
(
200
,
this
.
servletResponse
.
getStatus
());
}
@Test
public
void
handleTransportRequestXhrOptions
()
throws
Exception
{
String
sockJsPath
=
sessionUrlPrefix
+
"xhr"
;
...
...